Beefy Boxes and Bandwidth Generously Provided by pair Networks
Come for the quick hacks, stay for the epiphanies.

comment on

( #3333=superdoc: print w/replies, xml ) Need Help??

Not sure if I misunderstood:

1. In order to use the C debugger, you would need access to the source. The source can be stashed away after the executable is created. - sorry this is a misstatement. It has been a long time since I've used gdb, so the source may not be required. Ahh! Just realized you were talking about the Perl debugger.

No, I was not talking specifically about the perl debugger, but of course, the perl debugger usually has source access (except for XS code).

Source code is not needed to debug a compiled program. You won't have nice C source in the debugger output, but you can step through the disassembled code and set breakpoints, even if the debug information has been stripped from the binary.

Semi-automatic disassemblers like IDA can be very helpful to find places to set breakpoints at runtime. Just reading the relevant parts of the disassembly can be sufficient, if the de-obfuscation / decryption code is a single function. And yes, IDA can disassemble executables for many different processors and operating systems.

2. The C program would not relinquish the password if the inode of the registered script has changed, meaning the script has changed - so a hacker can't add a "die" or just print the password.

I can make the perl program print out the secret and stop without ever touching the main script. Have a look at how I injected the DBIspy module.

I can have a second perl script modify the script and restore all meta-data in the inode (see lstat and especially utime). File size won't change for an injected die, I can easily pad the file with some commented-out garbage to the old size.

I can use environment variables to modify @INC and thus load modified modules. Your code surely uses strict somewhere. Guess how hard it would be to include DBIspy or similar in a modifed copy of

I can use LD_PRELOAD to load an additional library into the perl interpreter. Code in the library would be executed before perl's main(), would call the magic password program and abort the program before perl's main() is reached.

Update: strace-demo

/tmp>cat secret-keeper.c #include <stdio.h> int main(int argc, char ** argv) { // note: security checks omitted fputs("find me, I'm the secret",stdout); return 0; } /tmp>make secret-keeper cc secret-keeper.c -o secret-keeper /tmp>strip secret-keeper /tmp>cat #!/usr/bin/perl use strict; use warnings; my $secret=qx(./secret-keeper); print "The secret is <$secret>\n"; /tmp>perl The secret is <find me, I'm the secret> /tmp>strace -o trace perl The secret is <find me, I'm the secret> /tmp>grep -C5 find trace /dev/null trace-read(5, "", 4) = 0 trace-close(5) = 0 trace-ioctl(3, TCGETS, 0x7ffeddbf80a0) = -1 ENOTTY (Inappropria +te ioctl for device) trace-lseek(3, 0, SEEK_CUR) = -1 ESPIPE (Illegal see +k) trace-fstat(3, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 trace:read(3, "find me, I'm the secret", 8192) = 23 trace-read(3, "", 8192) = 0 trace---- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=12034, + si_uid=1001, si_status=0, si_utime=0, si_stime=0} --- trace-fstat(3, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 trace-close(3) = 0 trace-wait4(12034, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = + 12034 trace:write(1, "The secret is <find me, I'm the "..., 40) = 40 trace-rt_sigaction(SIGHUP, NULL, {SIG_DFL, [], 0}, 8) = 0 trace-rt_sigaction(SIGINT, NULL, {SIG_DFL, [], 0}, 8) = 0 trace-rt_sigaction(SIGQUIT, NULL, {SIG_DFL, [], 0}, 8) = 0 trace-rt_sigaction(SIGILL, NULL, {SIG_DFL, [], 0}, 8) = 0 trace-rt_sigaction(SIGTRAP, NULL, {SIG_DFL, [], 0}, 8) = 0 /tmp>


Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

In reply to Re^3: Hide DBI password in scripts by afoken
in thread Hide DBI password in scripts by danielgr

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?

What's my password?
Create A New User
Domain Nodelet?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others imbibing at the Monastery: (6)
As of 2023-11-28 09:34 GMT
Find Nodes?
    Voting Booth?

    No recent polls found